Published in: Information Systems Frontiers 2/2021

11.12.2019

The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence


Abstract

As cyber-attacks have recently been increasing exponentially, security training for employees has become more important than ever before. In addition, it has been suggested that security training and education are an effective method for discerning cyber-attacks within academia and industry. Despite the importance and necessity of such training, prior studies did not investigate the quantitative utility of security training at the organizational level. Due to the absence of reference studies, many firms have trouble deciding how to arrange optimal security training programs with limited security budgets. The main objective of this study is to find the relationship between cybersecurity training and the number of incidents in organizations. Thus, this is the first study to quantify the effectiveness of security training on security incidents. This research examined the relationship between three main factors (education time, education participants, and outsourcing) and the number of cybersecurity incidents. 7089 firm-level data points are analyzed using the Poisson regression method. Based on the analysis results, we found a negative relationship between security training and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from a quantitative perspective. The results of this study can be used as a reference guide for information security training decision-making procedures in organizations.

Metadata
Title
The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence
Publication date
11.12.2019
Published in
Information Systems Frontiers / Issue 2/2021
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-019-09977-z